Smile TextExpander 6

The TextExpander utility saves keystrokes by letting you type a short sequence that’s replaced by a longer one. That’s the heart of the app, which has expanded (sorry) its repertoire of replacement types over time to include form letters with fill-in and drop-down elements, a library of emoji, and a host of placeholders for date, time, the contents of the clipboard, and other elements.

The previous updates for OS X and iOS are less than a year old; we reviewed version 5 of TextExpander for OS X last June and our high opinion of the core software remains unchanged.

However, the reason for this new review is a significant change in how its maker, Smile, prices its new version, which is coupled with mandatory cloud-based synchronization through its own servers, as well as options to share continuously updated snippets for individual users and groups.

With the new ecosystem, the TextExpander apps for OS X and iOS (and a beta for Windows 7 and later) cost nothing but work only when there’s an active monthly or yearly subscription. Further, the company’s website becomes a required hub for all users, whether they sync and share or not.

The web app manages sharing snippets, which are organized by type and use icons to identify additional characteristics, like globally shared.

For details about core features in TextExpander, consult our version 5 review. In this review, I’ll point out changes in the snippet editor, but will be focused on the ecosystem of apps: First, how it all works; next, security decisions and tradeoffs; and finally, how existing users should approach the new arrangement.

But I can start with the conclusion: This first iteration is overpriced for most users’ needs, and removing the ability to use TextExpander on a standalone basis with a less efficient personal sync doesn’t give existing customers any advantage. Smile says it plans to add additional features and sophistication, which may ultimately make it worth the price to some users in the future, including those upgrading from the previous standalone releases. But we review the software and service in front of us, not a future version we can’t test.

Moving to cloud city

The new set of TextExpander apps revolves around and connects to Smile’s servers. You’re required to set up an account and it has to be in good standing—currently paid for and active—to use snippets on any copy of the app you have, as well as to access sharing features on the website. If you’re logged out or the subscription lapses, snippets disappear. (They can be exported from the OS X version to retain copies.)

When your subscription is inactive, TextExpander empties all the snippets.

The new app versions comprise TextExpander 6 for OS X, TextExpander 4 for iOS, and TextExpander 1 for Windows (in beta). There’s no purchase cost for the apps. The two subscription levels are labeled Life Hacker (for consumers) at $5 billed monthly or $47.50 per year and Team (for businesses) at $10 billed monthly or $95.50 per year. Smile offers a 30-day trial for both flavors of its service. (Owners of previous releases receive a lifetime discount on the Life Hacker tier’s yearly rate.)

Both tiers allow something previously unavailable in TextExpander: publishing snippets to others that push out updates whenever the source snippet is changed. Previously, TextExpander required exporting a snippet group (a folder that collects items), sending that or loading it on a shared local or cloud server, and importing it in another copy of the app. (That option remains available.) Further, anyone with permissions to edit a shared snippet can make changes, and those revisions are in turn pushed to everyone that’s part of the shared group.

The Life Hacker flavor lets subscribers share with any other user by email address. The Team version adds administrator-level features for showing group members, managing permissions, and automatically pushing groups of snippets to people joining an organization or already part of it, along with consolidated billing.

TextExpander now includes a Team tier for sharing snippets across an organization, managed via its web app.

This new ecosystem adds an OK but slightly awkward web app to the mix. When logged into an account at Textexpander.com, you have the same access to groups of snippets and individual entries, and can even edit and add snippets using all the tools available in the native apps. (The website is also the only way to edit snippets with the current Windows beta, which lacks a front-end interface and can only expand snippets defined elsewhere.)

Some snippet groups can’t be shared, and the iconography isn’t crystal clear. If you see an icon with a single person that also has an orange plus-sign icon to its right, you can add other users. The Suggested Snippets group, however, can’t be shared, but has the single-person icon. Groups identified with a globe are set “worldwide” by Smile, such as for emoji.

Clicking the plus sign lets you enter email addresses, but not (yet at least) select people with whom you’ve already shared other snippets. There’s no global or local address book, which reduces utility, though ensures more privacy. You can set permissions for whether newly added people have admin privileges, can edit, or further share the group, or change the permissions at any time as an admin for anyone with whom you’re currently sharing.

Teams have more controls, with admins being able to assign snippet groups that are automatically added to new or existing users’ accounts. Team-shared snippets can be shared with guests outside the team, but a snippet group created for a team or moved under team management can’t be converted back to a regular group via the web interface. Instead, you have to export it and import it back in, then delete the team version.

Syncing and sharing are the same thing in this new ecosystem, and in my testing, it worked equally well on my devices with the same account and among devices logged in to different accounts that were sharing snippet groups.

The one significant change in the apps, by the way, involves both improvement and omission. A redesigned snippet editor has drop-down menus with all the special features, like inserting time-based placeholders, system keys, fill-in items, and the rest. This is a far superior interface for both new and experienced users. The editor is identical across the Mac, iOS, and web apps.

A refreshed snippet editor is the same in Web, iOS, and OS X apps, and is a nice bump up in being explicable to new and veteran users alike.

However, there’s also a step back. TextExpander for OS X used to have a split-pane view that provided a live preview as you assembled a snippet. This preview now requires a keystroke (Command-Return), which produces a modal dialog that has to be dismissed. In the iOS app, tapping a forward arrow brings up a preview and tapping a back arrow takes one back. The web app lacks a preview entirely.

And there’s an odd and unfortunate omission in this first outing related to sharing. You can’t manage shared snippet groups via the native apps. Sharing, adding people, managing permissions, and other tasks can only be done via the web app. While I expect that will be remedied in future releases of the apps, it makes it feel as if the ecosystem was released too soon.

The Windows client is still in beta testing, and didn’t work well for me on an up-to-date Windows 10 laptop; I couldn’t get it to expand with the latest beta release and restarting the laptop. It’s also “headless,” as noted above, and has no snippet-editing or preferences interface.

Hidden in plain sight

Previously, Smile hasn’t stored any snippet information on servers under its control. Any syncing required a third-party service, and snippets were only as safe from disclosure as the policies and protections of those other firms, like Dropbox and Apple (for iCloud), made them.

The iOS app (shown), web app, and OS X app show the same organization by how snippet groups are shared and owned. But sharing is managed exclusively at the Web site.

Now, central storage of snippets is mandatory. The new ecosystem stores everything on Smile’s servers, uses the web app as a view into storage and administration, and treats apps as synchronized end points. This invites more scrutiny of Smile’s security and encryption. The company’s co-founder, Greg Scown, answered a number of questions via email that weren’t on the firm’s website as I wrote this, but the company plans to provide more detail.

Smile fundamentally maintains that its users shouldn’t put anything in snippets that would be generally useful to another party if it were stolen, such as social security numbers and passwords. That’s impossible to enforce, of course, and snippets used inside a company—even the full set of responses a company uses for customer service—could reveal sensitive information alone or when viewed as a set.

All the apps and the website use the most recent secure version of TLS (version 1.2) for encrypted sessions, such as over https. However, the apps and website don’t use certificate pinning, in which an app accepts a digital certificate used to validate identity only if it was issued by one of a small number of outside parties. Pinning protects against malware that subverts the operating system by installing a root certificate: certificates issued under that root look valid, so a non-pinned app would accept them, but a pinned app would reject them. It’s seen as a best practice by security experts for apps in general and by Apple for iOS apps.
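The pinning check described above, as an added Node.js example (not Smile's code): on top of normal chain and hostname validation, the client compares the SHA-256 hash of the server certificate's public key against a built-in set. The hostname, function names, and the constructed certificate objects are assumptions made for illustration.

```javascript
const crypto = require('crypto');
const tls = require('tls');

// An SPKI pin: base64 SHA-256 of the certificate's DER-encoded public key.
function spkiPin(spkiDer) {
  return crypto.createHash('sha256').update(spkiDer).digest('base64');
}

// Builds a checkServerIdentity callback for tls.connect() / https.request().
// Node invokes it after the chain has already validated against the trust
// store, so the pin is an extra condition on top of normal validation.
function pinnedIdentityCheck(allowedPins) {
  return (host, cert) => {
    const nameError = tls.checkServerIdentity(host, cert);
    if (nameError) return nameError;
    const pin = spkiPin(cert.pubkey);
    if (!allowedPins.has(pin)) {
      return new Error(`public key pin mismatch for ${host}`);
    }
    return undefined; // name matches and key is pinned
  };
}

// Constructed stand-ins for Node's peer-certificate object (only the fields
// the check reads). Real code receives these from the TLS handshake.
function constructedCert(host) {
  const { publicKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return {
    subject: { CN: host },
    subjectaltname: `DNS:${host}`,
    pubkey: publicKey.export({ type: 'spki', format: 'der' }),
  };
}

function demo() {
  const host = 'sync.example.test'; // hypothetical hostname
  const genuine = constructedCert(host);
  // Same name, different key: what a certificate minted under a locally
  // installed root would present. The OS trust store would accept it.
  const substituted = constructedCert(host);
  const check = pinnedIdentityCheck(new Set([spkiPin(genuine.pubkey)]));
  return {
    genuine: check(host, genuine) === undefined,
    substituted: check(host, substituted) instanceof Error,
    wrongHost: check('other.example.test', genuine) instanceof Error,
  };
}
```

In a real client the returned callback is passed as the `checkServerIdentity` option, and the pin set needs a backup key so that a certificate rotation does not lock users out.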

Scown says Smile stores snippets at rest in unencrypted form on database servers operated by Compose.io, an IBM company. The company evaluated solutions in which data is always encrypted except during the moments items are needed for syncing or updating, and found that the other security elements of those solutions—such as how passwords were restricted—were lacking.

There’s a difference between unencrypted and insecure, and it’s not de facto unsafe that Smile has made this choice. An attacker has to defeat multiple lines of defense—like two-factor authentication—to obtain the raw data, and the raw data in snippets isn’t likely to be as valuable (and thus it’s much less likely to be a target) as, say, information stored by a password-syncing company like AgileBits or LastPass. Data encrypted “at rest” is yet another bar an attacker has to pass, but it’s not insuperable, either.

However, I believe Smile’s approach is naive given the current security climate. Other firms operating sync, backup, and hosting services that have native and web clients can let subscribers create a private passphrase that’s used for a per-account encryption key so that data is always encrypted in storage. These systems can support various methods to allow shared access to the same resource, as well.

This may seem like overkill and it adds a support burden to Smile (a lost passphrase means snippets would be unavailable unless backed up locally), but with their subscription cost, this seems like a reasonable baseline for which to ask. There are many approaches, and Smile chose none of them.
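The per-account passphrase approach described above, as an added Node.js example that is not Smile's code or any named vendor's: the client derives a key from the passphrase and encrypts each snippet before upload, so the server stores only salt, nonce, ciphertext, and tag. The account ID, snippet fields, and function names are assumptions, and the sample data is constructed.

```javascript
const crypto = require('crypto');

// Derive a 256-bit key from the passphrase on the client. Only the salt is
// stored with the account; the passphrase and key never leave the device.
function deriveAccountKey(passphrase, salt) {
  return crypto.scryptSync(passphrase, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Encrypt one snippet with AES-256-GCM. The account ID is bound in as
// associated data so a record cannot be replayed into another account.
function sealSnippet(key, accountId, snippet) {
  const nonce = crypto.randomBytes(12); // fresh per record
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(accountId, 'utf8'));
  const body = Buffer.concat([
    cipher.update(JSON.stringify(snippet), 'utf8'),
    cipher.final(),
  ]);
  // This object is all the sync server would ever hold.
  return {
    nonce: nonce.toString('base64'),
    body: body.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Decrypt on another device. Throws if the passphrase-derived key is wrong,
// the record was modified, or it belongs to a different account.
function openSnippet(key, accountId, record) {
  const decipher = crypto.createDecipheriv(
    'aes-256-gcm', key, Buffer.from(record.nonce, 'base64'));
  decipher.setAAD(Buffer.from(accountId, 'utf8'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  const plain = Buffer.concat([
    decipher.update(Buffer.from(record.body, 'base64')),
    decipher.final(),
  ]);
  return JSON.parse(plain.toString('utf8'));
}

// Constructed sample data for the round trip.
const salt = crypto.randomBytes(16);
const accountId = 'acct-0001'; // hypothetical account identifier
const key = deriveAccountKey('correct horse battery staple', salt);
const stored = sealSnippet(key, accountId, { abbreviation: ';addr', content: '1 Example Street' });
const synced = openSnippet(key, accountId, stored);
```

A wrong or forgotten passphrase makes `openSnippet` throw rather than return data, which is the recovery cost the paragraph above mentions.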

One more issue, highlighted after this review was originally published. The terms of service for TextExpander state explicitly, “The Service is not intended for use by users employed by any federal, state or local government.” This is likely intended to reduce liability, but it strikes another sour security note.

At a Glance

Smile TextExpander 6

TextExpander moves from paid apps to a subscription ecosystem with identical apps and an immature Web interface.

Pros

Company-run cloud service avoids need for third-party storage or account

Seamless fast synchronization among devices and other users and team members